DETAILED ACTION

This office action is in reply to an amendment filed on June 12, 2008. Claims 1, 4, 11,
18, 21, 29 and 32 have been amended and claim 3 has been canceled. Claims 1, 2 and 4-39
are pending.

Response to Arguments 

Applicant's arguments filed June 12, 2008 have been considered but are moot in view of 
the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1, 2 and 4-39 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Levergood et al. US 5,708,780 (hereinafter Levergood) in view of applicant's own admitted prior
art (hereinafter AAPA) and further in view of Abdo et al. US 7,080,404 B2 (hereinafter Abdo).

As per claims 1, 4, 8-11, 18, 20, 21, 24, 26-29, 31, 32 and 35, Levergood teaches a 
method for protecting a distributed application user, comprising: 

providing a distributed application on a server (i.e., web-pages on a server) [column 5,
lines 17-41];

authenticating a user of the distributed application [column 5, lines 41-50 and column 6,
lines 27-50];

determining, on the server, a security value for the authenticated user (i.e., SID is 
generated for an authenticated user) [column 5, lines 41-64 and column 6, lines 53-column 7, 
line 13]; 

associating the security value with a set of uniform resource locators (URLs) 
corresponding to a set of commands of the distributed application [column 5, line 49-column 6, 
line 4 and column 7, lines 14-31]; 

communicating the security value to a client operated by the authenticated user [column
5, line 49-column 6, line 4 and column 7, lines 14-31];

receiving one of the set of URLs on the server from the client [column 5, line 64-column
6, line 16 and column 7, lines 14-21]; and

checking the one URL for the security value (i.e., check if SID is attached to the URL) 
[column 5, lines 41-49 and column 6, line 65-column 6, lines 26 and column 7, lines 35-47], and 
returning an error message to the authenticated user if the security value is not found with the 
one command, wherein the error message prompts the authenticated user for confirmation 
before the one command can be executed (i.e., if SID is not detected with the URL, redirecting it 
back to the client and requesting the client to submit authentication credentials again for 
validation/confirmation column 5, lines 46-50 and column 7, lines 41-49). 

Levergood teaches associating the security value with a set of uniform resource locators 
(URLs) corresponding to a set of commands of the distributed application [column 5, line 49- 
column 6, line 4 and column 7, lines 14-31], but is silent on a command comprising a command 
that can be used in a malicious attack against authenticated user. However, AAPA teaches 
associating the security value with a set of uniform resource locators (URLs) corresponding to a 
set of commands of the distributed application, wherein each command comprises a command
that can be used in malicious attack against authenticated user [see specification pages 1-2 
paragraphs 2-4]. Therefore, it would have been obvious to one having ordinary skill in the art at 
the time of applicant's invention to employ the teachings of AAPA within the system of 
Levergood in order to enhance the security of the system. 

Levergood is silent on generating a security value for an authenticated user of the 
distributed application, wherein every user is authenticated prior to generating the security value 
and the security value is a pseudo-random number. 

Abdo teaches an authentication system, including generating a security value for an 
authenticated user of the distributed application, wherein every user is authenticated prior to 
generating the security value and the security value is a pseudo-random number [column 4, 
lines 18-53]. It would have been obvious to one having ordinary skill in the art at the time of 
applicant's invention to employ the teachings of Abdo within the system of Levergood and AAPA 
in order to further enhance security of the system. 

As per claims 2, 12, 19 and 30, AAPA further teaches the method, wherein the one 
command comprises a command to delete files of the authenticated user [see specification 
pages 1-2 paragraphs 2-4]. 

As per claims 5, 17, 22 and 33, Levergood further teaches the method further 
comprising storing the security value on the server [column 6, lines 5-23]. 

As per claims 6, 13, 23 and 34, Levergood further teaches the method further 
comprising: associating the security value with session information corresponding to the 
authenticated user, and communicating the session information and the security value to the
authenticated user [column 6, lines 5-23 and column 7, lines 14-21]. 

As per claims 7, 25 and 36, Levergood further teaches the method wherein the 
authenticated user operates a client that communicates with the server [column 6, lines 22-26]. 

As per claims 14 and 37, Levergood further teaches the method wherein the associating 
step comprises appending the security value to a set of URLs corresponding to a set of 
commands of the distributed application [column 5, line 49-column 6, line 4 and column 7, lines 
14-31]. 

As per claims 15 and 38, Levergood further teaches the method wherein the one URL is 
pre-constructed on the server, and wherein client receives the one URL and the associated 
security value from the server [column 7, lines 14-33]. 

As per claims 16 and 39, Levergood further teaches the method wherein the one URL is 
constructed on the client, and wherein the associating step comprises, extracting the security 
value on the client, and appending the security value to the one URL [column 5, lines 52-65].

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant 
is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to BEEMNET W. DADA whose telephone number is (571) 272-3847. The
examiner can normally be reached on Monday - Friday (9:00 am - 5:30 pm).

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kim Y. Vu can be reached on (571) 272-3859. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Beemnet W Dada/ 
Art Unit 2135 
September 13, 2008 
/KimYen Vu/
Supervisory Patent Examiner, Art Unit 2135



